On Sat, Oct 5, 2019 at 12:54:35AM +0200, Tomas Vondra wrote:
> On Fri, Oct 04, 2019 at 06:06:10PM -0400, Bruce Momjian wrote:
> > For full-cluster TDE with AES-NI-enabled, the performance impact is
> > usually ~4%, so doing anything more granular doesn't seem useful. See
> > this PGCon presentation with charts:
> >
> > https://www.youtube.com/watch?v=TXKoo2SNMzk#t=27m50s
> >
> > Having anything more fine-grained than all-cluster didn't seem worth it.
> > Using per-user keys is useful, but also much harder to implement.
> >
>
> Not sure I follow. I thought you are asking why Oracle apparently does
> not leverage AES-NI for column-level encryption (at least according to
> the document I linked)? And I don't know why that's the case.

No, I read it as Oracle saying that there isn't much value to per-column
encryption if you have crypto hardware acceleration, because the
all-cluster encryption overhead is so minor.

> FWIW performance is just one (supposed) benefit of column encryption,
> even if all-cluster encryption is just as fast, there might be other
> reasons to support it.

Well, there is per-user/db encryption, but I think that needs to be done
at the SQL level.

--
  Bruce Momjian  <br...@momjian.us>        http://momjian.us
  EnterpriseDB                             http://enterprisedb.com

+ As you are, so once was I.  As I am, so you will be. +
+                      Ancient Roman grave inscription +